Como Utilizar o Microsoft Intune para Enviar Certificados WiFi para Dispositivos

Uma referência técnica abrangente para líderes de TI sobre a implementação de certificados WiFi 802.1X via Microsoft Intune. Abrange a arquitetura SCEP vs PKCS, passos de implementação, mapeamento de conformidade e cenários de implementação reais para ambientes empresariais.

📖 7 GuidesSlugPage.minRead📝 1,541 GuidesSlugPage.words🔧 2 GuidesSlugPage.workedExamples❓ 3 GuidesSlugPage.practiceQuestions📚 8 GuidesSlugPage.keyDefinitions

GuidesSlugPage.podcastTitle

GuidesSlugPage.podcastTranscript

HOW TO USE MICROSOFT INTUNE TO PUSH WIFI CERTIFICATES TO DEVICES
A Purple Enterprise WiFi Intelligence Briefing

[INTRODUCTION & CONTEXT — approximately 1 minute]

Welcome back. I'm speaking today on behalf of Purple, the enterprise WiFi intelligence platform, and this episode is a focused briefing on one of the most practical — and honestly, most underrated — capabilities in the Microsoft Intune toolkit: automated certificate deployment for 802.1X WiFi authentication.

If you're managing WiFi across a hotel estate, a retail chain, a stadium, or a public-sector estate, you'll know the pain point I'm about to describe. You've got hundreds or thousands of managed devices. You want them to connect to your corporate WiFi automatically, securely, without users typing passwords, without IT touching every single device. And you want that connection to be cryptographically strong — not just a shared password that someone's already emailed to half the organisation.

That's exactly what Intune certificate deployment solves. And in the next nine minutes, I'm going to walk you through how it works, how to deploy it, and the pitfalls that catch most teams out on the first attempt.

[TECHNICAL DEEP-DIVE — approximately 5 minutes]

Let's start with the architecture. The foundation here is IEEE 802.1X — the port-based network access control standard that's been the backbone of enterprise WiFi security for over two decades. When a device connects to your WiFi, 802.1X requires it to authenticate before it gets any network access. The authentication conversation happens between three parties: the device — called the supplicant — your WiFi access point, which acts as the authenticator, and your RADIUS server, which is the authentication server that makes the final decision.

Now, 802.1X supports multiple authentication methods. The most secure is EAP-TLS — Extensible Authentication Protocol with Transport Layer Security. EAP-TLS uses mutual certificate authentication: the device presents a certificate to prove its identity, and the RADIUS server presents a certificate to prove its identity. No passwords involved. No credentials that can be phished. This is what we're aiming for.

The challenge has always been getting those certificates onto devices at scale. That's where Microsoft Intune comes in.

Intune supports two certificate deployment mechanisms: SCEP — Simple Certificate Enrollment Protocol — and PKCS, which stands for Public Key Cryptography Standards. Understanding the difference matters.

With SCEP, the private key is generated on the device itself. The device creates a Certificate Signing Request, sends it to your Certificate Authority via an intermediary server called NDES — the Network Device Enrollment Service — and the CA issues the certificate back. The private key never leaves the device. This is the more secure approach and is recommended for BYOD environments and high-security deployments.

With PKCS, the Certificate Authority generates the key pair, and the Intune Certificate Connector delivers the private key and certificate to the device. It's simpler to set up — no NDES server required — but the private key does transit through the connector, which is a consideration for your security posture.

For most enterprise deployments I'd recommend SCEP for BYOD and mixed-device environments, and PKCS where you have a homogeneous fleet of corporate-owned Windows devices and want to minimise infrastructure complexity.

Now, let's talk about the deployment sequence — because the order matters and getting it wrong is the most common cause of failed rollouts.

Step one: configure your Certificate Authority. You need a certificate template on your Active Directory Certificate Services instance — or if you're fully cloud-native, Microsoft's Intune Cloud PKI is now generally available and removes the on-premises CA requirement entirely. The template needs the correct key usage extensions: Client Authentication is mandatory. Set the minimum key size to 2048 bits, or 4096 if your organisation's security policy requires it.

Step two: deploy the trusted root certificate. Before any device can validate the RADIUS server's certificate, it needs to trust the CA that issued it. You create a Trusted Certificate configuration profile in Intune, upload the root CA certificate, and assign it to your device groups. This must land on devices before any WiFi profile or client certificate profile. If you get the sequencing wrong, devices will reject the RADIUS server and you'll spend an afternoon staring at Event ID 20271 in the Windows event log.

Step three: deploy the client certificate profile. This is either your SCEP profile — pointing at your NDES server URL — or your PKCS profile, pointing at your Certificate Authority. The Subject Alternative Name should include the User Principal Name for user certificates, or the AAD Device ID for device certificates. This distinction matters: user certificates authenticate the logged-in user, device certificates authenticate the machine itself, which means the device can connect to WiFi before a user logs in — useful for domain join scenarios and kiosk deployments.

Step four: create the WiFi configuration profile. In Intune, this is under Devices, Configuration Profiles, Templates, Wi-Fi. Set the WiFi type to Enterprise, enter your SSID, set EAP type to EAP-TLS, configure the server trust settings — this is where you reference the RADIUS server certificate name — and for client authentication, reference the certificate profile you created in step three.

Step five: assign everything to the right groups and validate. Assign your root certificate, client certificate, and WiFi profiles to the same device or user groups. Use Intune's built-in reporting to monitor profile deployment status. A successful deployment shows all three profiles as Succeeded in the device's configuration profile list.

One critical point on NPS configuration for Windows Server environments: from early 2024, Microsoft tightened certificate mapping requirements. If you're using device certificates with Azure AD-joined devices authenticating against on-premises NPS, you need to ensure the altSecurityIdentities attribute on the computer object in Active Directory is populated with the certificate's thumbprint. This doesn't happen automatically — you need a script or a workflow to handle it, typically triggered when the CA issues a new certificate.

[IMPLEMENTATION RECOMMENDATIONS & PITFALLS — approximately 2 minutes]

Let me give you the three pitfalls that I see most frequently in enterprise deployments.

Pitfall one: certificate chain gaps. The device needs to trust every certificate in the chain from the root CA down to the RADIUS server's certificate. If your RADIUS server certificate was issued by an intermediate CA, you need to deploy both the root and the intermediate to devices. I've seen deployments fail for weeks because someone deployed the root but not the intermediate.

Pitfall two: profile assignment timing. Intune profiles don't land on devices instantaneously. In a large estate, it can take 15 to 30 minutes for profiles to propagate after assignment. Don't test immediately after creating profiles. Use the Sync button in the Intune portal to force a check-in, then wait. Also, client certificate profiles must be deployed and confirmed before the WiFi profile is applied — if the WiFi profile references a certificate that doesn't exist yet, the profile will fail silently on some platforms.

Pitfall three: BYOD certificate revocation. When a device is unenrolled from Intune — because an employee leaves, or a device is lost — you need a process to revoke the certificate. If you're using SCEP with ADCS, configure the Certificate Revocation List distribution point correctly and ensure your RADIUS server is checking CRL or OCSP on every authentication. This is a compliance requirement under frameworks like PCI DSS, which mandates that access control mechanisms be revoked promptly when no longer needed.

On the topic of compliance: if you're operating in a PCI DSS scope — retail payment environments, for example — certificate-based 802.1X authentication is your strongest control for wireless network access. It satisfies PCI DSS Requirement 1.3 around network access controls and Requirement 8.6 around authentication factors. Document your certificate lifecycle management process as part of your compliance evidence.

For GDPR-regulated environments, particularly in hospitality and public-sector, the separation between your corporate 802.1X network and your guest WiFi network is critical. Your corporate Intune-managed network should be on a completely separate VLAN and SSID from any guest or visitor network. Purple's guest WiFi platform handles the visitor-facing side — captive portal, consent capture, analytics — while your Intune-managed corporate network handles staff and operational devices. These two networks should never share authentication infrastructure.

[RAPID-FIRE Q&A — approximately 1 minute]

Let me run through a few questions that come up regularly.

Can I use Intune Cloud PKI instead of on-premises ADCS? Yes. Microsoft's Intune Cloud PKI, released in 2024, provides a fully managed CA in Azure. It removes the NDES server requirement for SCEP and simplifies the connector setup significantly. For greenfield deployments or organisations without existing ADCS infrastructure, it's the recommended path.

Does this work for macOS and iOS devices? Yes. Intune supports certificate profiles for Windows, iOS, iPadOS, Android, and macOS. The profile types and configuration options vary slightly by platform, but the core architecture — trusted root, client certificate, WiFi profile — is consistent.

What about personal devices in a BYOD programme? SCEP is your friend here. With Intune's device compliance policies, you can require that a device meets minimum security standards before a certificate is issued. If the device falls out of compliance — no screen lock, outdated OS — the certificate can be revoked and network access removed automatically.

Can Purple integrate with this architecture? Absolutely. Purple's platform sits on the guest network side, handling captive portal authentication, consent management, and analytics. The corporate 802.1X network and Purple's guest WiFi operate in parallel — same physical infrastructure, different SSIDs and VLANs — giving you complete separation between staff connectivity and visitor engagement.

[SUMMARY & NEXT STEPS — approximately 1 minute]

To wrap up: deploying WiFi certificates via Intune is a five-step process — CA configuration, trusted root deployment, client certificate profile, WiFi profile, and group assignment. Choose SCEP for BYOD and high-security environments; PKCS for simpler corporate-owned fleets. Get the sequencing right, handle the NPS certificate mapping requirement, and build a certificate revocation workflow from day one.

The business case is straightforward: you eliminate shared WiFi passwords, you get per-device and per-user authentication logs, you satisfy PCI DSS and ISO 27001 wireless security requirements, and you reduce the IT overhead of managing WiFi credentials across a large estate.

If you're planning a deployment and want to understand how Purple's guest WiFi and analytics platform fits alongside your corporate network architecture, visit purple.ai. We've got detailed guides on Azure Entra ID integration, 802.1X architecture, and guest network design for hospitality, retail, and public-sector environments.

Thanks for listening. Until next time.

GuidesSlugPage.keyTakeawaysTitle

✓EAP-TLS is the industry standard for secure enterprise WiFi, replacing vulnerable shared passwords with mutual certificate authentication.
✓Microsoft Intune automates the delivery of these certificates at scale, eliminating manual IT overhead.
✓SCEP is recommended for BYOD and high-security environments because the private key never leaves the device.
✓PKCS is suitable for corporate-owned, fully managed device fleets due to its simpler infrastructure requirements.
✓Profile sequencing is critical: always deploy the Trusted Root CA first, the Client Certificate second, and the WiFi profile last.
✓Corporate 802.1X networks must be logically separated from visitor networks (like those managed by Purple Guest WiFi) to maintain security boundaries.
✓For Windows NPS environments, ensure the Active Directory computer object's altSecurityIdentities attribute is mapped to the device certificate to prevent authentication failures.

Resumo Executivo

Para líderes de TI empresariais que gerem ambientes de grande escala em Hotelaria , Retalho ou locais do setor público, o acesso sem fios seguro é um requisito operacional básico. Confiar em PSKs partilhadas (Pre-Shared Keys) ou autenticação por nome de utilizador/palavra-passe (PEAP-MSCHAPv2) expõe a rede a roubo de credenciais, phishing e falhas de conformidade. O padrão da indústria para segurança WiFi empresarial robusta é 802.1X com EAP-TLS (Extensible Authentication Protocol com Transport Layer Security), que exige autenticação mútua baseada em certificados entre o dispositivo e a rede.

No entanto, a principal barreira à adoção do EAP-TLS tem sido historicamente a sobrecarga operacional da gestão do ciclo de vida dos certificados. O Microsoft Intune resolve isto automatizando a entrega, renovação e revogação de certificados digitais para dispositivos geridos em escala.

Esta referência técnica detalha a arquitetura, metodologias de implementação (SCEP vs PKCS) e passos de implementação necessários para enviar certificados WiFi via Microsoft Intune. Fornece orientação acionável para arquitetos de rede e engenheiros de sistemas encarregados de proteger as comunicações corporativas, mantendo uma separação rigorosa das redes de visitantes, como as geridas por uma plataforma Guest WiFi .

Análise Técnica Aprofundada: Arquitetura e Protocolos

Para implementar a autenticação baseada em certificados de forma eficaz, as equipas de TI devem compreender a interação entre a plataforma de Gestão de Dispositivos Móveis (MDM), a Infraestrutura de Chave Pública (PKI) e a camada de controlo de acesso à rede.

A Estrutura de Autenticação 802.1X

O padrão IEEE 802.1X define o controlo de acesso à rede baseado em porta. Num contexto sem fios, impede que um dispositivo transmita qualquer tráfego (além de frames de autenticação EAP) até que a sua identidade seja verificada. A arquitetura consiste em três componentes:

Suplicante: O dispositivo cliente (portátil, smartphone, tablet) que solicita acesso à rede.
Autenticador: O ponto de acesso sem fios ou controlador de LAN sem fios que bloqueia o tráfego até que a autenticação seja bem-sucedida.
Servidor de Autenticação: O servidor RADIUS (Remote Authentication Dial-In User Service), como o Microsoft Network Policy Server (NPS) ou Cisco ISE, que valida as credenciais e autoriza o acesso.

EAP-TLS e Autenticação Mútua

EAP-TLS é o método EAP mais seguro porque exige autenticação mútua. O servidor RADIUS apresenta o seu certificado ao suplicante para provar que é a rede corporativa legítima (prevenindo ataques evil-twin), e o suplicante apresenta o seu certificado de cliente ao servidor RADIUS para provar que é um dispositivo ou utilizador autorizado.

Mecanismos de Implementação de Certificados Intune: SCEP vs PKCS

O Microsoft Intune suporta dois protocolos primários para implementar certificados de cliente em dispositivos. Selecionar o mecanismo apropriado é uma decisão arquitetónica crítica.

Protocolo de Inscrição de Certificados Simples (SCEP)

Com SCEP, a chave privada é gerada diretamente no dispositivo cliente. O dispositivo cria um Pedido de Assinatura de Certificado (CSR) e submete-o via Intune para o servidor Network Device Enrollment Service (NDES), que atua como um proxy para a infraestrutura Active Directory Certificate Services (ADCS). A CA emite o certificado, que é devolvido ao dispositivo.

Como a chave privada nunca sai do dispositivo, o SCEP é considerado altamente seguro e é a abordagem recomendada para implementações BYOD (Bring Your Own Device) e arquiteturas de confiança zero.

Padrões de Criptografia de Chave Pública (PKCS)

Com PKCS, o Conector de Certificados Intune solicita o certificado à CA em nome do dispositivo. A CA gera tanto o certificado público quanto a chave privada, que o conector entrega de forma segura ao dispositivo via Intune.

Embora o PKCS simplifique os requisitos de infraestrutura (não é necessário um servidor NDES), a chave privada é transmitida pela rede. Este modelo é geralmente aceitável para frotas de dispositivos corporativos, totalmente geridos, onde a plataforma MDM já é um componente altamente confiável.

Guia de Implementação: Implementação Passo a Passo

A implementação de certificados WiFi via Intune requer sequenciamento preciso. A implementação de perfis fora de ordem é a causa mais comum de falha na implementação.

Passo 1: Preparar a Infraestrutura de Chave Pública (PKI)

Quer utilize ADCS no local ou uma solução nativa da cloud como o Microsoft Cloud PKI, a Autoridade de Certificação deve ser configurada com os modelos apropriados.

Utilização da Chave: O modelo deve incluir o OID Client Authentication (1.3.6.1.5.5.7.3.2).
Tamanho da Chave: Configure um tamanho mínimo de chave de 2048 bits (RSA) para alinhar com os padrões criptográficos modernos.
Nome do Assunto: Para certificados de utilizador, o Subject Alternative Name (SAN) deve ser configurado para usar o User Principal Name (UPN). Para certificados de dispositivo, use o Azure AD Device ID.

Passo 2: Implementar o Certificado Raiz Confiável

Antes que um dispositivo possa autenticar, ele deve confiar na CA que emitiu o certificado do servidor RADIUS.

Exporte o certificado da CA Raiz (e quaisquer certificados de CA intermédios) em .cer" formato.
No centro de administração do Intune, navegue para Dispositivos > Perfis de configuração > Criar perfil.
Selecione a plataforma e escolha o tipo de perfil Certificado fidedigno.
Carregue o ficheiro .cer e atribua o perfil ao dispositivo de destino ou a grupos de utilizadores.

Nota: Este perfil deve ser aplicado com sucesso aos dispositivos antes de prosseguir para os próximos passos.

Passo 3: Implementar o Perfil de Certificado de Cliente

Crie um perfil de certificado SCEP ou PKCS para entregar o certificado de identidade ao requerente.

Navegue para Dispositivos > Perfis de configuração > Criar perfil.
Selecione a plataforma e escolha Certificado SCEP ou Certificado PKCS.
Configure o formato do Nome do Assunto e SAN de acordo com os seus requisitos de identidade (Utilizador vs. Dispositivo).
Especifique o Fornecedor de Armazenamento de Chaves (KSP) — tipicamente o Trusted Platform Module (TPM) para segurança baseada em hardware.
Atribua o perfil aos mesmos grupos visados no Passo 2.

Passo 4: Configurar o Perfil WiFi

O componente final associa os certificados às definições da rede sem fios.

Navegue para Dispositivos > Perfis de configuração > Criar perfil.
Selecione a plataforma e escolha o tipo de perfil Wi-Fi.
Defina o tipo de Wi-Fi para Empresarial e introduza o SSID exato.
Defina o tipo EAP para EAP-TLS.
Em Confiança do Servidor, especifique o nome exato do certificado do servidor RADIUS e selecione o perfil de certificado de Raiz Fidedigna implementado no Passo 2.
Em Autenticação de Cliente, selecione o perfil de certificado SCEP ou PKCS implementado no Passo 3.
Atribua o perfil aos grupos de destino.

Melhores Práticas e Recomendações Estratégicas

Certificados de Dispositivo vs. Utilizador

Os arquitetos de rede devem decidir se emitem certificados para o dispositivo (autenticação de máquina) ou para o utilizador (autenticação de utilizador).

Certificados de Dispositivo: Permitem que a máquina se conecte à rede WiFi antes de um utilizador iniciar sessão. Isto é crítico para o aprovisionamento inicial do dispositivo, processamento de Política de Grupo e redefinições de palavra-passe no ecrã de início de sessão. Recomendado para dispositivos empresariais.
Certificados de Utilizador: Vinculam o acesso à rede à identidade do indivíduo. Isto fornece auditoria granular e controlo de acesso baseado em funções. Recomendado para cenários BYOD.

Segmentação de Rede e Acesso de Convidado

Um princípio de segurança fundamental é a separação lógica estrita da rede corporativa 802.1X das redes de acesso de visitantes ou públicas. A infraestrutura gerida pelo Intune deve ser dedicada exclusivamente a dispositivos corporativos e pessoal autenticado.

Para acesso de visitantes, as organizações devem implementar um SSID Guest WiFi dedicado, suportado por um captive portal. Isto garante que os dispositivos não geridos são isolados, ao mesmo tempo que permite à empresa capturar análises de visitantes através de uma plataforma WiFi Analytics . Para saber mais sobre como proteger a infraestrutura DNS em ambos os segmentos, consulte o nosso guia sobre como Proteger a Sua Rede com DNS e Segurança Robustos .

Abordar o Requisito de Mapeamento de Certificados NPS

Para organizações que utilizam o Microsoft Network Policy Server (NPS) com dispositivos associados ao Azure AD, foi introduzida uma alteração de configuração crítica pela Microsoft. O NPS agora requer um mapeamento de certificados robusto.

Ao utilizar certificados de dispositivo, o objeto de computador no Active Directory no local deve ter o seu atributo altSecurityIdentities preenchido com os detalhes do certificado (tipicamente o X509IssuerSerialNumber). As equipas de TI devem implementar um script agendado ou um fluxo de trabalho orientado por eventos para atualizar este atributo quando o Intune emitir um novo certificado, caso contrário, a autenticação falhará.

Resolução de Problemas e Mitigação de Riscos

Quando uma implementação 802.1X falha, o problema reside quase sempre na cadeia de certificados ou na sequência de perfis do Intune.

Modos de Falha Comuns

Falha Silenciosa do Perfil WiFi: Se o perfil WiFi do Intune for aplicado a um dispositivo antes de o certificado de cliente ter sido aprovisionado com sucesso, o perfil WiFi frequentemente não será instalado ou falhará silenciosamente. Verifique sempre a presença do certificado na loja Pessoal do dispositivo (certmgr.msc no Windows) antes de resolver problemas na configuração WiFi.
Erros de Validação de Confiança do Servidor: Se o dispositivo rejeitar o servidor RADIUS, verifique se o nome do servidor especificado no perfil WiFi do Intune corresponde exatamente ao Nome do Assunto ou SAN no certificado do servidor RADIUS. Além disso, garanta que toda a cadeia de certificados (Raiz e Intermédio) está presente na loja de Autoridades de Certificação de Raiz Fidedigna do dispositivo.
Indisponibilidade da Lista de Revogação de Certificados (CRL): Se o servidor RADIUS não conseguir alcançar o ponto de distribuição CRL da CA para verificar o estado do certificado do cliente, a autenticação será negada. Garanta que o URL da CRL está altamente disponível e acessível a partir do servidor RADIUS.

ROI e Impacto no Negócio

A transição para a autenticação WiFi baseada em certificados via Intune oferece retornos operacionais e de segurança significativos.

Mitigação de Riscos: Elimina o risco de recolha de credenciais, ataques pass-the-hash e acesso não autorizado à rede via PSKs partilhadas.
Eficiência Operacional: Reduz os tickets do helpdesk de TI relacionados com expirações de palavra-passe e problemas de conectividade WiFi. A gestão automatizada do ciclo de vida significa que os certificados são renovados de forma transparente sem intervenção do utilizador.
Habilitação de Conformidade: Satisfaz requisitos regulamentares rigorosos. Para ambientes de retalho, aborda diretamente os requisitos PCI DSS para encriptação e autenticação sem fios robustas. Para o setor público e saúde, alinha-se com os princípios de acesso à rede de confiança zero (ZTNA).

Ao alavancar o Microsoft Intune para a implementação de certificados, as equipas de TI podem alcançar uma experiência sem fios sem atritos e altamente segura que opera silenciosamente em segundo plano, permitindo que o negócio se concentre nas operações principais.

GuidesSlugPage.keyDefinitionsTitle

802.1X

An IEEE standard for port-based network access control that prevents unauthorized devices from accessing a LAN or WLAN until they successfully authenticate.

The foundational security protocol that replaces shared WiFi passwords with enterprise-grade authentication in corporate environments.

EAP-TLS

Extensible Authentication Protocol with Transport Layer Security. An authentication framework that requires both the client and the server to prove their identities using digital certificates.

The specific protocol configured in the Intune WiFi profile to enforce mutual certificate authentication, eliminating the risk of credential theft.

SCEP

Simple Certificate Enrollment Protocol. A mechanism where the client device generates its own private key and requests a certificate from the CA via an intermediary server.

The preferred deployment method for BYOD environments because the private key is never transmitted across the network.

PKCS

Public Key Cryptography Standards. In the context of Intune, a deployment method where the CA generates the private key and the Intune Connector securely delivers it to the device.

A simpler deployment architecture often used for corporate-owned device fleets, as it removes the need for an NDES server.

NDES

Network Device Enrollment Service. A Microsoft server role that acts as a proxy, allowing devices running without domain credentials to obtain certificates from an Active Directory Certificate Authority.

A mandatory infrastructure component when deploying certificates via SCEP in an on-premises ADCS environment.

RADIUS

Remote Authentication Dial-In User Service. A networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management.

The server (like Microsoft NPS or Cisco ISE) that receives the authentication request from the WiFi access point and validates the device's certificate.

Supplicant

The software client on the end-user device (laptop, smartphone) that initiates the 802.1X authentication process.

The Intune WiFi profile configures the native OS supplicant (e.g., Windows WLAN AutoConfig) to use the correct certificates and EAP methods.

Certificate Revocation List (CRL)

A digitally signed list published by the Certificate Authority containing the serial numbers of certificates that have been revoked and should no longer be trusted.

Crucial for security compliance; the RADIUS server must check the CRL to ensure a connecting device hasn't been reported lost or stolen.

GuidesSlugPage.workedExamplesTitle

A 400-location retail chain is deploying corporate-owned tablets for inventory management. The devices are fully managed via Intune and joined to Azure AD. They need immediate network access upon boot to sync inventory databases, before any specific user logs in. The network infrastructure uses Cisco ISE as the RADIUS server. What is the optimal certificate deployment strategy?

The IT team should implement PKCS device certificates.

Configure a device certificate template on the CA.
Deploy the Root CA certificate to the tablets via Intune.
Create a PKCS certificate profile in Intune, setting the Subject Name format to the Azure AD Device ID ({{AAD_Device_ID}}).
Create an Enterprise WiFi profile specifying EAP-TLS, referencing the ISE server's certificate name and the deployed PKCS profile.
Assign all profiles to the device group containing the tablets.

GuidesSlugPage.examinerCommentary PKCS is appropriate here because the devices are corporate-owned and fully managed, reducing the risk associated with private key transit. Device certificates are mandatory because the tablets require network access prior to user login. By targeting the Azure AD Device ID, Cisco ISE can authenticate the specific hardware asset and assign it to the correct restricted inventory VLAN.

A large teaching hospital allows medical staff to use their personal smartphones (BYOD) to access clinical scheduling applications. The devices are enrolled in Intune via a Work Profile. Security policy mandates that no corporate credentials be stored on personal devices, and network access must be revoked immediately if a device is compromised. How should the WiFi authentication be designed?

The hospital must implement SCEP user certificates combined with Intune Compliance Policies.

Deploy an NDES server to proxy requests to the CA.
Create a SCEP user certificate profile in Intune, with the SAN configured to the User Principal Name ({{UserPrincipalName}}).
Create an Intune Compliance Policy requiring a minimum OS version, an active screen lock, and no jailbreak/root access.
Configure the CA to publish a highly available Certificate Revocation List (CRL).
Configure the RADIUS server to strictly enforce CRL checking on every authentication attempt.

GuidesSlugPage.examinerCommentary SCEP is the only acceptable choice for BYOD because the private key is generated on the personal device and cannot be intercepted. User certificates are required to tie network activity to the specific clinician for HIPAA/GDPR auditing. The critical component is the integration with Intune Compliance Policies; if a device becomes non-compliant, Intune can trigger certificate revocation, and the RADIUS server's CRL check will immediately block network access.

GuidesSlugPage.practiceQuestionsTitle

Q1. Your organisation is migrating from PEAP-MSCHAPv2 (username/password) to EAP-TLS for the corporate WiFi. During the pilot phase, several Windows 11 laptops receive the Intune configuration profiles successfully but fail to connect to the network. Reviewing the Windows Event Logs shows Event ID 20271 indicating the RADIUS server certificate was rejected. What is the most likely cause?

GuidesSlugPage.hintPrefixConsider the chain of trust required for mutual authentication.

GuidesSlugPage.viewModelAnswer

The devices lack the Trusted Root CA certificate that issued the RADIUS server's certificate. In EAP-TLS, the device must validate the RADIUS server's identity. The IT team must ensure the 'Trusted certificate' profile containing the Root CA (and any Intermediate CAs) is deployed to the devices via Intune and successfully installed before the WiFi profile attempts to connect.

Q2. A public sector venue is deploying 802.1X for staff devices using Intune and PKCS certificates. They also operate a separate visitor network managed by a Guest WiFi platform. An auditor notes that if a staff laptop is stolen, the certificate remains valid for 12 months. How should the network architect address this risk?

GuidesSlugPage.hintPrefixHow does the authentication server know a certificate is no longer valid before it expires?

GuidesSlugPage.viewModelAnswer

The architect must implement a robust Certificate Revocation workflow. First, ensure the CA publishes a Certificate Revocation List (CRL) to a highly available distribution point. Second, configure the RADIUS server (e.g., NPS) to mandate CRL checking during every authentication attempt. Finally, establish an Intune operational procedure to explicitly revoke the certificate of any device marked as lost or stolen, which updates the CRL and blocks network access.

Q3. You are designing the Intune deployment for a fleet of shared kiosk devices in a retail environment. These devices reboot daily and must immediately connect to the corporate network to download updates before any user interacts with them. Should you deploy User certificates or Device certificates, and what Subject Alternative Name (SAN) format should be used?

GuidesSlugPage.hintPrefixConsider the state of the device immediately after a reboot.

GuidesSlugPage.viewModelAnswer

You must deploy Device certificates. Because the kiosks need network access before a user logs in, a User certificate would be unavailable at boot time. The Subject Alternative Name (SAN) in the Intune certificate profile should be configured to use the Azure AD Device ID ({{AAD_Device_ID}}) or the device's fully qualified domain name, allowing the RADIUS server to authenticate the specific hardware asset.